
PandaLabs Blog: Everything you need to know about Internet threats

PandaLabs Quarterly Report – Q3 2013

Today we are publishing the PandaLabs Quarterly Report, covering the major security news that happened during the third quarter of 2013. We take a look at the figures, with yet another record in malware creation, and we cover the main security events that have taken place this quarter, such as the appearance of a new major ransomware family called CryptoLocker and the NSA espionage revelations by Edward Snowden.

You can find the press release here, and the report here. Enjoy!

Panda Security Answer to Bits of Freedom Open Letter

Bits of Freedom is an international coalition of civil rights organizations and security experts which has recently published an open letter (https://www.bof.nl/live/wp-content/uploads/Letter-to-antivirus-companies-.pdf) asking antivirus companies for transparency and posing four direct questions. To address their concern, which we believe is shared by many citizens, we want to answer these questions here:

1. Have you ever detected the use of software by any government (or state actor) for the purpose of surveillance?

Yes. Our main goal is to protect users by stopping any infection attempt, and in doing so we stop thousands of Trojan attacks on a daily basis. We stop all of them based on the morphology and behaviour of the malware involved; who is behind them is not taken into account when deciding to stop them.

2. Have you ever been approached with a request by a government, requesting that the presence of specific software is not detected, or if detected, not notified to the user of your software? And if so, could you provide information on the legal basis of this request, the specific kind of software you were supposed to allow and the period of time which you were supposed to allow this use?

No.

3. Have you ever granted such a request? If so, could you provide the same information as in the point mentioned above and the considerations which led to the decision to comply with the request from the government?

No.

4. Could you clarify how you would respond to such a request in the future?

We would not comply with such a request. We detect malware based on technical factors, nothing else. Any government is free to ask for a specific piece of malware not to be detected, in the same way that we are free to ignore their requests and protect our users against any malware, whoever the cybercriminal and/or government behind it may be.

Luis Corrons

PandaLabs Technical Director

Panda Security


CryptoLocker

CryptoLocker is a new family of ransomware whose business model (yes, malware is a business to some!) is based on extorting money from users. This continues the trend started by another infamous piece of malware which also extorts its victims, the so-called ‘Police Virus’, which asks users to pay a ‘fine’ to unlock their computers. However, unlike the Police Virus, CryptoLocker hijacks users’ documents and asks them to pay a ransom (with a time limit to send the payment).

[Image: CryptoLocker ransom screen]

Malware installation

CryptoLocker uses social engineering techniques to trick the user into running it. More specifically, the victim receives an email with a password-protected ZIP file purporting to be from a logistics company.

The Trojan runs when the user opens the attached ZIP file with the password included in the message and tries to open the "PDF" it contains. CryptoLocker takes advantage of Windows' default behavior of hiding known file extensions to disguise the real .EXE extension of the malicious file.

As soon as the victim runs it, the Trojan goes memory resident on the computer and takes the following actions:

  • Saves itself to a folder in the user's profile (AppData, LocalAppData).
  • Adds a key to the registry to make sure it runs every time the computer starts up.
  • Spawns two processes of itself: one is the main process, while the other protects the main process against termination.

File encryption

The Trojan generates a random symmetric key for each file it encrypts, and encrypts the file's content with the AES algorithm using that key. Then, it encrypts the random key with an asymmetric public-private key algorithm (RSA) using keys of over 1024 bits (we've seen samples that used 2048-bit keys), and appends the encrypted key to the encrypted file. This way, the Trojan makes sure that only the owner of the private RSA key can obtain the random key used to encrypt the file. Also, because the original files are overwritten in place, they cannot be recovered using forensic methods.

Once run, the first thing the Trojan does is obtain the public key (PK) from its C&C server. To find an active C&C server, the Trojan incorporates a domain generation algorithm (DGA) based on the 'Mersenne twister' pseudo-random number generator. The algorithm uses the current date as its seed and can generate up to 1,000 different fixed-length domain names every day.

[Image: DGA pseudocode]
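The defender's takeaway from a date-seeded DGA is that anyone who knows the seed formula can reproduce the same 1,000 domains per day in advance and feed them to a DNS blocklist or sinkhole. The following Python example is added here to illustrate that property; it is not the post's pseudocode nor CryptoLocker's real algorithm. The seed formula, label length, alphabet and TLD list are assumptions, and the resolver log lines are constructed. Python's random.Random is an MT19937 (Mersenne twister) generator, which is why it serves as the stand-in.

```python
import datetime
import random
import string

# Assumed DGA parameters for this illustration: the real CryptoLocker seed
# formula, alphabet and TLD list are not given in the post.
DOMAINS_PER_DAY = 1000
LABEL_LENGTH = 12
TLDS = ("com", "net", "org", "biz", "info", "ru")
DEMO_DAY = datetime.date(2013, 10, 1)


def date_seed(day: datetime.date) -> int:
    """Fold the calendar date into an integer seed (assumed formula)."""
    return day.year * 10_000 + day.month * 100 + day.day


def generate_domains(day: datetime.date, count: int = DOMAINS_PER_DAY) -> list[str]:
    """Reproduce the full set of candidate C&C domains for one day.

    random.Random is a Mersenne twister, so anyone who knows the seed formula
    gets exactly the list the malware would try on that date.
    """
    rng = random.Random(date_seed(day))
    domains = []
    for _ in range(count):
        label = "".join(rng.choice(string.ascii_lowercase) for _ in range(LABEL_LENGTH))
        domains.append(f"{label}.{rng.choice(TLDS)}")
    return domains


def build_blocklist(start: datetime.date, days: int) -> set[str]:
    """Pre-compute every candidate domain for a window of days, e.g. to load
    into a DNS sinkhole or resolver blocklist before the malware needs them."""
    blocklist: set[str] = set()
    for offset in range(days):
        blocklist.update(generate_domains(start + datetime.timedelta(days=offset)))
    return blocklist


def find_dga_lookups(dns_log_lines: list[str], blocklist: set[str]) -> list[tuple[str, str]]:
    """Match the queried name in simple 'timestamp client qname' log lines
    against the pre-computed blocklist; returns (client, qname) pairs that hit."""
    hits = []
    for line in dns_log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line: skip it rather than abort the sweep
        client, qname = parts[1], parts[2].rstrip(".").lower()
        if qname in blocklist:
            hits.append((client, qname))
    return hits


def demo_hits() -> list[tuple[str, str]]:
    """Run the sweep over a constructed two-line resolver log: one benign
    lookup and one lookup of a domain the DGA would produce on DEMO_DAY."""
    blocklist = build_blocklist(DEMO_DAY, days=3)
    sample_log = [
        "2013-10-01T09:14:02 10.0.0.12 www.example.com.",
        f"2013-10-01T09:14:05 10.0.0.12 {generate_domains(DEMO_DAY)[0]}.",
    ]
    return find_dga_lookups(sample_log, blocklist)


if __name__ == "__main__":
    for client, qname in demo_hits():
        print(f"possible CryptoLocker C&C lookup from {client}: {qname}")
```

Because the output is fully determined by the date, the blocklist for the coming week can be generated today; a host resolving names from that list is a strong infection signal even before any file has been encrypted.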

After the Trojan has downloaded the PK, it saves it inside the following Windows registry key: HKCU\Software\CryptoLocker\Public Key. Then, it starts encrypting files on the computer’s hard disk and every network drive the infected user has access to.

CryptoLocker doesn't encrypt every file it finds, but only non-executable files with the extensions hard-coded in the malware:

[Image: list of extensions found in a CryptoLocker sample]

Additionally, CryptoLocker logs each file it encrypts to the following registry key:

HKEY_CURRENT_USER\Software\CryptoLocker\Files
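For incident response, the Files key is the quickest inventory of what was hit, including paths on network drives that a backup restore must cover. The Python example below is added here and is not part of the post: it parses a `reg export` of the CryptoLocker key, lists the logged paths, checks whether the downloaded public key is present and groups the damage by drive or UNC share. The sample export is constructed, and the exact value names and data types under the real keys are assumptions; the post only states which keys hold the public key and the file list.

```python
import re

# Constructed sample of a `reg export HKCU\Software\CryptoLocker` file. The
# value names and data layout are assumptions for this example.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\CryptoLocker]
"Public Key"=hex:30,82,01,22,30,0d,06,09

[HKEY_CURRENT_USER\Software\CryptoLocker\Files]
"C:\\Users\\alice\\Documents\\budget.xlsx"=dword:00000000
"C:\\Users\\alice\\Pictures\\holiday.jpg"=dword:00000000
"\\\\fileserver\\finance\\q3-forecast.docx"=dword:00000000
'''

CRYPTOLOCKER_KEY = r"HKEY_CURRENT_USER\Software\CryptoLocker"
FILES_KEY = CRYPTOLOCKER_KEY + r"\Files"

# A .reg value line looks like "name"=data; backslashes and quotes inside the
# name are escaped with a backslash.
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg_export(text: str) -> dict[str, dict[str, str]]:
    """Return {key path: {value name: raw data}} for a .reg export.
    Continuation lines of long hex values are ignored; only names matter here."""
    keys: dict[str, dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = _VALUE_LINE.match(line)
            if m:
                name = re.sub(r"\\(.)", r"\1", m.group(1))  # undo .reg escaping
                keys[current][name] = m.group(2)
    return keys


def encrypted_files(text: str) -> list[str]:
    """Every path CryptoLocker logged under the Files key, in export order."""
    return list(parse_reg_export(text).get(FILES_KEY, {}))


def has_public_key(text: str) -> bool:
    """True if the RSA public key the Trojan downloaded from its C&C is stored."""
    return "Public Key" in parse_reg_export(text).get(CRYPTOLOCKER_KEY, {})


def affected_roots(paths: list[str]) -> set[str]:
    """Group encrypted paths by local drive or UNC share so the restore can be
    scoped to the right backups and the right network shares."""
    roots: set[str] = set()
    for p in paths:
        if p.startswith("\\\\"):
            parts = p.split("\\")  # ['', '', server, share, ...]
            roots.add("\\\\" + "\\".join(parts[2:4]))
        elif len(p) > 1 and p[1] == ":":
            roots.add(p[:2])
    return roots


if __name__ == "__main__":
    files = encrypted_files(SAMPLE_REG_EXPORT)
    print("public key present:", has_public_key(SAMPLE_REG_EXPORT))
    print(f"{len(files)} encrypted files across {sorted(affected_roots(files))}")
    for f in files:
        print("  ", f)
```

A real export produced by `reg export` is typically UTF-16 encoded, so open it with `encoding="utf-16"` before passing its contents to `encrypted_files`. The presence of a UNC root in the result is the cue to check the file server's snapshots and the permissions of the account that was logged in when the infection ran.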

When the Trojan finishes encrypting every file that meets the aforementioned conditions, it displays the following message asking the user to make a ransom payment, with a time limit to send the payment before the private key kept by the malware writer is destroyed.

[Image: CryptoLocker ransom message]

Curiously enough, the malware doesn't ask every user for the same amount of money, but incorporates its own currency conversion table.

[Image: CryptoLocker currency conversion table]

Conclusions

This malware spreads via email by using social engineering techniques. Therefore, our recommendation is to be particularly wary of emails from senders you don't know, especially those with attached files. Configuring Windows to show file extensions instead of hiding them will also help you recognize this type of attack.

Additionally, we’d like to remind you of the importance of having a backup system in place for your critical files. This will help mitigate the damage caused not only by malware infections, but hardware problems or any other incidents as well.

If you become infected and don’t have a backup copy of your files, our recommendation is not to pay the ransom. That’s NEVER a good solution, as it turns the malware into a highly profitable business model and will contribute to the flourishing of this type of attack.

Back to school sales… or not

Summer is -almost- over, kids are going back to school and we can find many types of offers to buy new computers, software… and cyber-criminals will try to take advantage of this too. Recently we have spotted yet another family of ransomware (police virus). While the behavior was really similar to other families, in this case the main difference that attracted my attention was the price: usually they ask for around US$100, this time the price was really cheap:

[Image: ransom screen asking for US$10.95]

Just US$10.95, really cheap. As in the real world, competition usually leads to better prices, and in this case it translates into a smaller price to recover our computer. For now we have only seen this approach in one ransomware family; the rest keep the same US$100 price. This one was captured last week:

[Image: ransom screen]

The only change in this one is the use of a picture of the king of Spain to reinforce the message, with the logos of Spain's two main law enforcement agencies and Interpol in the background. It asks for 100€ to get the code to unlock your computer.

Yesterday we captured a new sample of a new ransomware family. We have taken a closer look at it, as these ransomware samples are usually programmed in Visual C++, whereas this one was packed using ASPack and programmed in Delphi. It uses an Adobe Flash icon to mislead the victim:

[Image: Adobe Flash icon used by the sample]

It has turned out to be one of the nastiest pieces of ransomware out there. It is not the first time we have spotted one of these, but it is disturbing: the screen that appears on your desktop has the typical message, then there is a video frame showing what your webcam sees, and next to it there are real child porn pictures (obviously censored in this screenshot):

[Image: censored screenshot of the ransom screen]

Really disgusting; these moments make me think that we should help law enforcement even more than we already do. This one was asking for 100€.

Finally, this morning yet another one arrived, although the guys behind it are not in favor of “back to school sales”:

[Image: ransom screen asking for US$300]

Yes, they ask for US$300, three times the usual price! This is the most expensive police ransomware we have captured so far.


Summer is here

Although some of us have already had a small taste of our summer vacation, most people in the northern hemisphere will start theirs very soon, so I’d like to take this opportunity to give you a few tips to enjoy your well-deserved rest with complete peace of mind.

  • Before anything else, back up your important information. You never know what might happen (unforeseen accidents, theft of your electronic devices, etc.)
  • Password-protect your devices. Many of you will be taking your laptops, tablets, etc. with you, so password-protect them to prevent others from accessing your data in case of theft or loss.
  • Use caution with social networking sites: People give out too much information about their holiday plans on social networking sites, even tipping criminals off about their empty homes. Check your privacy settings and avoid sharing private information on social networks.
  • Install parental controls. Children spend more time in front of computers during summer vacation. Installing a good parental control program on the computer will help minimize children’s vulnerability on the Internet.
  • If you can avoid it, never use a shared computer: If using a shared or public computer on vacation is a must, prevent identity theft by making sure your account doesn’t automatically save your password and user ID. If you suspect the computer’s security has been compromised by a virus, leave it and use another. Take care when connecting an external device to the computer, as it may become infected without your knowledge.
  • Take care with email: Email is one of the main virus entry points, so pay special attention to it. Do not open messages from unknown senders or click on dubious links.
  • Beware of public Wi-Fi networks. With a Wi-Fi network you never know who else is connected to the same network and if someone is monitoring network traffic. When you connect to email, social networking sites or online stores, make sure you are using a secure connection (https), so that traffic is encrypted and no one else can access the information. The safest thing to do is use a VPN connection that encrypts all information coming out of your device.
  • Keep your computer up-to-date: Malware seeks to exploit existing security holes in systems to infect them. Make sure all necessary security patches and updates are properly installed. If you left your computer at home, this is the first thing you should do as soon as you turn it on again.
  • Protect your computer: Make sure you have reliable, up-to-date protection installed on your computer. There are many free, reliable solutions on the market, like Panda Cloud Antivirus, available for download at www.cloudantivirus.com


United Nations, Parents, Global Days, Social Networks… and Security

It turns out that 1st of June is “Global Day of Parents”. When I was told that last week I thought it was some kind of joke, but then I did some research and it was true! This is the deal: United Nations, that lovely organization composed mainly of dictatorships ;) adopted a resolution (passed by the General Assembly) to create this day. If you still do not believe it you can check the source here. It seems they like spending their time creating a lot of “Global Days”, here is the full list.

To be honest, as I became a father recently I thought it was fine, just a new day on which I could get some gifts… but seriously, what can we do from here? As readers of this blog, you are concerned about security, which is fantastic, and we all have and know of parents that are starting to use the Internet (my mother just bought her first tablet last week!) and are not really aware of some of the dangers they can face. Social networks are the place where most Internet users spend their time, so we should start by giving a few security tips focused on social networks:

  • Don’t share personal information on social networking sites. Never post your phone number, your address or other private information on your Facebook profile, for example. Your friends and family already know that information and, as for the rest of people, well, they don’t need it really…
  • Set strong passwords for your social media accounts. Don’t use any personal information. Otherwise, someone who knows you or can research you online could guess your password. Use a combination of upper- and lower-case letters, numbers and special characters. How long do you think it would take one of your Facebook contacts to guess your password if you used your name and date of birth?
  • Use different passwords for each of the online services you use and change them regularly. If you fall victim to an attack and someone steals your Twitter login information, for example, don’t let them also access your Facebook, LinkedIn or other social media accounts you may have.
  • Be selective about who you accept as a friend on a social network. Avoid chatting with strangers. Be careful what type of information you share with people you only know from Facebook.
  • If you are using a shared computer, make sure you log off completely from any programs you have accessed using a user name and password. Otherwise, other users could easily access your Facebook or Twitter profiles, etc., and all the information they contain.
  • Don’t provide more information than is necessary on your social media profiles. When creating your user profile, don’t provide more information than is necessary. If you are required to enter private data like your email address, select the option to prevent other users from seeing it.
  • Just as you wouldn’t accept a gift from a complete stranger on the street, don’t accept files or anything else you might be offered on social networking sites. Always use your common sense.
  • Use caution when clicking on links! Cyber-crooks use false news, eye-catching videos, etc. to try to trick users on Twitter and Facebook. If, after clicking a link, you are requested to enter your user name and password… Don’t do it! Many Internet scams use fake websites similar to Twitter or Facebook in an attempt to look genuine.


PandaLabs Quarterly Report – Q1 2013

We have just published our Quarterly Report for Q1 2013, analyzing the IT security events and incidents from January through March 2013. If you want to be aware of the latest security trends, the latest cyber-war cases… don’t wait any longer; you can download our latest report from our Press Center.

The Importance of Strong Passwords on Social Media

Last Tuesday, April 23, the Twitter account of the Associated Press news agency was hacked and sent out a hoax tweet reporting that President Barack Obama had been injured by an explosion in the White House. Within seconds, Wall Street was in panic mode and US stocks plunged.

Situations like this illustrate once again the dangers of using weak passwords not only for home users but in corporate environments as well. Today, social networking sites are very often the first point of contact between users and companies, and special care should be taken to strengthen the security of social media accounts.

When a Twitter account is hacked, the public normally thinks it has been the result of some highly sophisticated attack perpetrated with complex programs and all sorts of stealth systems only accessible to some privileged minds… Well, in reality, things are usually much simpler. In most cases, the so-called “hacker” simply guesses the victim’s password. The most complex attacks are actually those where the attacker tricks the user into re-entering their credentials on some system, unaware of the fact that, in reality, they are submitting their data to a cyber-criminal (which, by the way, was exactly what happened in the AP Twitter hack).

Two months ago, Burger King’s Twitter account was also hacked. Its background picture was changed to a McDonald’s image, and a message was posted announcing that the company had been sold to their rivals. It is not known what password Burger King used, but I would say “whopper” is one of the safest bets… The AP attack might look like an isolated incident, but unfortunately these attacks are far more common than it seems. In fact, the group behind the hack, the self-proclaimed “Syrian Electronic Army”, also hacked the Twitter accounts of watchdog organization Human Rights Watch, French news service France 24 and the BBC’s weather service.

But it is not only Twitter accounts that are at risk. Many of us still remember the theft of a series of compromising photos from Scarlett Johansson’s cell phone, for example. Preliminary investigation seemed to indicate that a hacker had been able to launch a cyber-attack on the American actress’s cell phone, accessing her personal information. Later, however, it was found that the ‘hacker’ was simply a man with a penchant for hacking into celebrities’ accounts who had been able to guess the star’s email address password.

Let me finish by offering you a series of simple tips about social media passwords that will help you protect yourselves from this type of attack:

  • Size matters: The longer the password, the safer it will be.
  • Do not use personal information (your name, your phone number, etc.) to create passwords.
  • NEVER use the same password for multiple accounts.
  • Use passwords that are a combination of numbers, letters and special characters. The more complex the password, the safer it will be.
  • Change your passwords frequently.
  • Do not reveal your passwords or send them via email.

Twitter, Facebook, Apple, Microsoft… who is left?

If we had to draw up a list of the top tech companies that have been hacked in the last few weeks, we would have to include all the ones in the title of this blog post, and maybe a few more cases we are still not aware of.

The first one was Twitter. On February 1st Twitter published an article in their blog, “Keeping our users secure”. They explained they had been victims of an attack, and that information from 250,000 users had been accessed.

A couple of weeks later, Facebook published an article in their blog, titled “Protecting People On Facebook”. It looks like no customer data was compromised in this attack.

The next victim was Apple: just a few days after Facebook’s announcement, they told Reuters they had also been targeted using the same attack.

And last, but not least, Microsoft recognized they also had been victims of the same attack.

Not a bad list of companies, isn’t it? Maybe we will see some more (Google is in the same target level, for example, or Amazon, or IBM…) but that’s not the point of this article. What can we learn? Of course there is a lot of information we don’t know yet; however, we can see some positive outcomes and one very important task to do:

- Companies are not afraid of recognizing being targets of this kind of attacks.

- They have good security teams which have been able to identify the attacks as they were taking place.

Task to do: We all should stop using Java in the browser. All these attacks were successful thanks to yet another 0-day vulnerability in Java. Disable it now.

People involved in computer security know that there is not a 100% safe place. You can take a number of preventive measures, and they will work well most of the times. But there is always some weak point, some new vulnerability, some human error, and out of the thousands of attacks that such big companies receive on a daily basis, one could succeed.

And being able to identify an ongoing attack is critical. Twitter, Facebook, Apple and Microsoft were able to. They are all gathering information about the attack, and they are all working with law enforcement to find out who is behind it.

If you are responsible for a medium / small company, you may think you do not have to worry as much as those biggies as you are not such a sexy target. That is partially true, you probably will get a small number of targeted attacks (if any), however you will be hit constantly with the usual cybercrime attacks that infect millions of computers.

According to the PandaLabs 2012 Annual Report, 1/3 of all computers were infected at some point last year. And cybercriminals love low-hanging fruit. If you have computers without protection, without updated software, without a serious security plan, you will be the next.

Most computer infections nowadays come from exploit kits, which infect the user’s computer without their knowledge through some software vulnerability. More than 90% of these cases are Java vulnerabilities exploited through the browser, so the best way to avoid these infections is simple: DISABLE JAVA IN YOUR BROWSER. NOW. WHAT ARE YOU WAITING FOR?

If for any reason you need Java in the browser to run some application, then use it in a secondary browser.


A look back at cyber-security in 2012

[Image: PandaLabs Annual Report 2012]
